The document discusses advanced persistent threats (APTs) and signs that an organization may have been targeted by an APT. It defines APTs as sophisticated cyber threats, often foreign governments, that target specific entities over an extended period of time. The summary then lists five signs that an APT attack may be occurring: 1) an increase in elevated logins late at night, 2) widespread backdoor Trojans being installed, 3) unexpected information flows within the network, 4) discovery of unexpected large data bundles, and 5) detection of pass-the-hash hacking tools.

1. CIS 166 Highline Community College
February 2013

2.  Advanced persistent threat (APT) usually refers to a group, such
as a foreign government, with both the capability and the intent to
persistently and effectively target a specific entity.
 The term is commonly used to refer to cyber threats, in particular
that of Internet-enabled espionage using a variety of intelligence
gathering techniques to access sensitive information, but applies
equally to other threats such as that of traditional espionage or
attack.
 Other recognized attack vectors include infected media, supply
chain compromise, and social engineering. Individuals, such as an
individual hacker, are not usually referred to as an APT as they
rarely have the resources to be both advanced and persistent even
if they are intent on gaining access to, or attacking, a specific
target
Source: http://en.wikipedia.org/wiki/Advanced_persistent_threat

3.  Bodmer, Kilger, Carpenter and Jones defined the following APT
criteria:
 Objectives - The end goal of the threat, your adversary
 Timeliness - The time spent probing and accessing your system
 Resources - The level of knowledge and tools used in the event (skills and
methods will weigh on this point)
 Risk tolerance - The extent the threat will go to remain undetected
 Skills and methods - The tools and techniques used throughout the event
 Actions - The precise actions of a threat or numerous threats
 Attack origination points - The number of points where the event
originated
 Numbers involved in the attack - How many internal and external systems
were involved in the event, and how many people's systems have different
influence/importance weights
 Knowledge source - The ability to discern any information regarding any
of the specific threats through online information gathering (you might be
surprised by what you can find by a little proactive)

4.  Actors behind advanced persistent
threats create a growing and
changing risk to organizations'
financial assets, intellectual
property, and reputation by
following a continuous process:
 Target specific organizations for a
singular objective
 Attempt to gain a foothold in the
environment, common tactics
include spear phishing emails.
 Use the compromised systems as
access into the target network
 Deploy additional tools that help
fulfill the attack objective
 Cover tracks to maintain access for
future initiatives

5.  Maltego
 Develop a method and standard to identify targets
within an organization that we can social engineer
 Metasploit
 So we can write URL’s, PDF’s and other items to
send to our target within an organization
 So we can “hack into a system” leaving behind a
username and password for access later on
 ZenMap/NMAP
 So we can identify weak targets on a network

6.  Initial compromise — performed by use of Social engineering (security)
and spear phishing, over email, using zero-day viruses. Another popular
infection method was planting malware on a website that the victim
employees will be likely to visit.
 Establish Foothold — plant remote administration software in victim's
network, create network backdoors and tunnels allowing stealth access to
its infrastructure.
 Escalate Privileges — use exploits and password cracking to acquire
administrator privileges over victim's computer and possibly expand it to
Windows domain administrator accounts.
 Internal Reconnaissance — collect information on surrounding
infrastructure, trust relationships, Windows domain structure.
 Move Laterally — expand control to other workstations, servers and
infrastructure elements and perform data harvesting on them.
 Maintain Presence — ensure continued control over access channels
and credentials acquired in previous steps.
 Complete Mission — exfiltrate stolen data from victim's network.

8.  Abuse and compromise of
“trusted connections” is a key
ingredient for many APTs.
While the targeted organization
may employ sophisticated
technologies in order to prevent
infection and compromise of
their digital systems, criminal
operators often tunnel in to an
organization using the hijacked
credentials of employees or
business partners, or via less-
secured remote offices.
 As such, almost any
organization or remote site may
fall victim to an APT and be
utilized as a soft entry or
information harvesting point.
https://www.damballa.com/knowledge/advanced-persistent-threats.php

10.  So when you find
“awesome”
 Passwords
 Configurations
 Databases
 E-Mail
 The whole company
can be yours, and
often is

11.  To take short cuts
 Not think that they
could be a victim of
social profiling or
grooming
 To “Friday” their job
(not pay attention)
 To forget “details”
 To get around
“roadblocks”

13.  APT sign No. 1: Increase in elevated log-ons late at night
 APTs rapidly escalate from compromising a single
computer to taking over the whole environment. They do
this by reading an authentication database, stealing
credentials, and reusing them.
 They learn which user (or service) accounts have elevated
privileges and permissions, then go through those accounts
to compromise assets within the environment. Often, a high
volume of elevated log-ons occur at night because the
attackers live on the other side of the world. If you suddenly
notice a high volume of elevated log-ons while the
legitimate work crew is at home, start to worry.
 Source: http://www.infoworld.com/d/security/5-signs-
youve-been-hit-advanced-persistent-threat-
204941?page=0,0#sthash.SouQCZzM.dpuf

14.  APT sign No. 2: Finding widespread backdoor Trojans
 APT hackers often install backdoor Trojan programs on
compromised computers within the exploited environment.
They do this to ensure they can always get back in, even if
the captured log-on credentials get changed when the victim
gets a clue. Another related trait: Once discovered, APT
hackers don't go away like normal attackers. Why should
they? They own computers in your environment, and you
aren't likely to see them in a court of law.
 These days, Trojans deployed through social engineering
provide the avenue through which most companies are
exploited. They are fairly common in every environment --
and they proliferate in APT attacks.
 Source: http://www.infoworld.com/d/security/5-signs-
youve-been-hit-advanced-persistent-threat-
204941?page=0,0#sthash.SouQCZzM.dpuf

15.  APT sign No. 3: Unexpected information flows
 If I could pick the single best way to detect APT activities, this
would be it: Look for large, unexpected flows of data from internal
origination points to other internal computers or to external
computers. It could be server to server, server to client, or network
to network.
 Those data flows may also be limited, but targeted -- such as
someone picking up email from a foreign country. I wish every
email client had the ability to show where the latest user logged in
to pick up email and where the last message was accessed. Gmail
and some other cloud email systems already offer this.
 Of course, in order to detect a possible APT, you have to
understand what your data flows look like before your
environment is compromised. Start now and learn your baselines.
 Source: http://www.infoworld.com/d/security/5-signs-youve-
been-hit-advanced-persistent-threat-
204941?page=0,0#sthash.SouQCZzM.dpuf

16.  APT sign No. 4: Discovering unexpected data
bundles
 APTs often aggregate stolen data to internal
collection points before moving it outside. Look for
large (we're talking gigabytes, not megabytes)
chunks of data appearing in places where that data
should not be, especially if compressed in archive
formats not normally used by your company.
 Source:
http://www.infoworld.com/d/security/5-signs-
youve-been-hit-advanced-persistent-threat-
204941?page=0,1#sthash.Jw5b5REJ.dpuf

17.  APT sign No. 5: Detecting pass-the-hash hacking
tools
 Although APTs don't always use pass-the-hash
attack tools, they frequently pop up. Strangely,
after using them, hackers often forget to delete
them. If you find pass-the-hash attack tools
hanging around, it's OK to panic a little or at least
consider them as evidence that should be
investigated further.
 Source:
http://www.infoworld.com/d/security/5-signs-
youve-been-hit-advanced-persistent-threat-
204941?page=0,1#sthash.Jw5b5REJ.dpuf

18.  All the tools you used in this class help you
understand more about APT
 If you know how to do it, you know what to look for
 If you know what to look for you know how to
protect your company
 If you know how to protect your company, you are
going to be one awesome Information Security
Engineer